I have prepared a working configuration example of goaccess, running on my Raspberry Pi 5, with goaccess behind an NGINX reverse proxy. Feel free to copy it over as an example in the official documentation. While I was just setting it all up, I needed so many sources, including searching through GitHub issues and the like, where some missing pieces were hidden. Wish I had it all in one place, as one large complex example. Here it is for my setup and I hope others will find it useful.
NGINX -> sites-available -> example.com.conf
```nginx
# sockets are generally more secure than ports, so we'll use them for a localhost installation.
upstream goaccess {
    server unix:/tmp/goaccess.sock;
}

server {
    # [other server config]

    location /goaccess.html {
        # Btw. the CSP example in the website FAQ is faulty (as of 4 October 2025). This one is working.
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:;";

        # HTTP basic auth (optional)
        # auth_basic "GoAccess";
        # auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # WebSocket endpoint, proxied to the goaccess unix socket
    location /ws {
        proxy_pass http://goaccess;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_cache off;
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }
}
```
etc -> goaccess -> goaccess.conf (only changed/commented/uncommented entries from default config)
```
date-format %d/%b/%Y
log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
log-format COMBINED
addr 127.0.0.1
port 443
# goaccess shouldn't be daemonised if started by systemd. systemd takes care of it, so we don't change the default non-daemonise setting in goaccess.conf.
real-time-html true
ws-url example.com/ws
log-file /var/log/nginx/access.log
debug-file /var/log/nginx/goaccess-debug.log
output /var/www/o.okkm.de/goaccess.html
# MaxMind requires a paid subscription. Search GeoLite2-filenames directly online to obtain them for free.
geoip-database /usr/share/GeoIP/GeoLite2-ASN.mmdb
geoip-database /usr/share/GeoIP/GeoLite2-City.mmdb
geoip-database /usr/share/GeoIP/GeoLite2-Country.mmdb
```
etc -> systemd -> system -> goaccess.service
```ini
[Unit]
Description=GoAccess Real-Time NGINX access.log Analyzer
# Delete tailscaled.service if Tailscale VPN is not installed (free VPN)
After=network.target tailscaled.service nginx.service
Requires=network.target

[Service]
# The -j (number of threads) and --unix-socket options don't have a config file equivalent at the moment. Hence these parameters.
ExecStart=/usr/bin/goaccess --unix-socket=/tmp/goaccess.sock -j 4
PrivateTmp=false
Restart=on-failure
User=www-data
Group=www-data
# Deny other users access to the unix domain socket goaccess.sock and to goaccess.html
UMask=0027
# Optional security settings
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
ReadWritePaths=/var/www/html/ /tmp/

[Install]
WantedBy=multi-user.target
```
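With `ProtectSystem=strict` the service sees the file system as read-only apart from the directories listed in `ReadWritePaths=`, so every file goaccess writes has to sit under one of them. The following check is an added example, not part of the original post: it compares the write targets from goaccess.conf and `ExecStart` with `ReadWritePaths=`. The embedded excerpts are constructed from the lines shown in the post, and the function names are hypothetical.

```python
import posixpath

# Constructed sample input: the relevant lines of the two files in the post.
GOACCESS_CONF = """\
log-file /var/log/nginx/access.log
debug-file /var/log/nginx/goaccess-debug.log
output /var/www/o.okkm.de/goaccess.html
"""
UNIT = """\
[Service]
ExecStart=/usr/bin/goaccess --unix-socket=/tmp/goaccess.sock -j 4
ProtectSystem=strict
ReadWritePaths=/var/www/html/ /tmp/
"""
WRITE_KEYS = {"output", "debug-file"}  # goaccess.conf keys naming files goaccess writes

def rw_paths(unit_text):
    """Return (strict, allowed): whether ProtectSystem=strict is set, and ReadWritePaths."""
    strict, allowed = False, []
    for line in unit_text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "ProtectSystem":
            strict = value == "strict"
        elif key == "ReadWritePaths":
            # Entries accumulate across lines; an empty assignment resets the list.
            allowed = allowed + [posixpath.normpath(p.lstrip("-+")) for p in value.split()] if value else []
    return strict, allowed

def write_targets(conf_text, unit_text):
    """Collect the paths goaccess writes: conf keys plus the --unix-socket argument."""
    targets = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in WRITE_KEYS:
            targets[parts[0]] = parts[1].strip()
    for token in unit_text.split():
        if token.startswith("--unix-socket="):
            targets["--unix-socket"] = token.split("=", 1)[1]
    return targets

def unwritable(conf_text, unit_text):
    """Return {setting: path} for write targets outside ReadWritePaths (strict mode only)."""
    strict, allowed = rw_paths(unit_text)
    if not strict:
        return {}
    return {name: path for name, path in write_targets(conf_text, unit_text).items()
            if not any(posixpath.normpath(path) == a or
                       posixpath.normpath(path).startswith(a.rstrip("/") + "/") for a in allowed)}

if __name__ == "__main__":
    for name, path in unwritable(GOACCESS_CONF, UNIT).items():
        print(f"{name}: {path} is not covered by ReadWritePaths")
```

Any path this reports needs its directory added to `ReadWritePaths=`, or the setting moved to a directory that is already listed.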